| author | rwatson <rwatson@FreeBSD.org> | 2008-08-23 15:26:36 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2008-08-23 15:26:36 +0000 |
| commit | 78a117e6fa3ea5484baa385417846432dcafd758 (patch) | |
| tree | 5219c0b4d17dd1dcbcb5fda367c1905a0929ee2b /sys/kern/kern_exec.c | |
| parent | 36dc0db8e1fa12d3f6a38164a5fb1ae82fc45eba (diff) | |
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, but rather simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
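The two mechanisms the commit message describes, a per-object-type label mask recomputed on every policy load/unload, and an enter/exit pair that hides label allocation from the exec path, are modelled below in a small stand-alone C program. This is an added illustration written for this page, not FreeBSD code: `OBJ_*`, `policy_load`, `policy_unload`, `recompute_mask`, `vnode_label_alloc`, `execve_interpreter_enter`/`_exit` and the tiny `struct vnode`/`struct label` are all invented stand-ins for the real MPC_OBJECT_* flags, MAC_POLICY_SET(9) registration and `mac_execve_interpreter_enter/exit`. The point it makes beyond the message is that, once allocation is gated on the mask, the exit routine must accept a NULL label, because exec's cleanup path runs whether or not a label was ever allocated.

```c
/* Added example, not FreeBSD code: toy model of a MAC label-object mask
 * and a NULL-tolerant interpreter-label enter/exit pair.             */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for MPC_OBJECT_PROC / _VNODE / _INPCB. */
#define OBJ_PROC   0x01u
#define OBJ_VNODE  0x02u
#define OBJ_INPCB  0x04u

struct policy {
    const char *name;
    unsigned    object_flags;  /* object types this policy labels */
    int         loaded;
};

#define MAXPOL 4
static struct policy registry[MAXPOL];
unsigned labeled_objects;      /* OR of object_flags over loaded policies */

/* Recomputed on every load and unload, as the commit message describes. */
unsigned recompute_mask(void)
{
    unsigned m = 0;
    for (int i = 0; i < MAXPOL; i++)
        if (registry[i].loaded)
            m |= registry[i].object_flags;
    labeled_objects = m;
    return m;
}

int policy_load(const char *name, unsigned flags)
{
    for (int i = 0; i < MAXPOL; i++) {
        if (!registry[i].loaded) {
            registry[i].name = name;
            registry[i].object_flags = flags;
            registry[i].loaded = 1;
            recompute_mask();
            return 0;
        }
    }
    return -1;                 /* registry full */
}

int policy_unload(const char *name)
{
    for (int i = 0; i < MAXPOL; i++) {
        if (registry[i].loaded && strcmp(registry[i].name, name) == 0) {
            registry[i].loaded = 0;
            recompute_mask();
            return 0;
        }
    }
    return -1;                 /* no such policy */
}

struct label { unsigned bits; };
struct vnode { struct label *v_label; };

/* Only allocate when some loaded policy actually labels vnodes. */
struct label *vnode_label_alloc(void)
{
    if ((labeled_objects & OBJ_VNODE) == 0)
        return NULL;
    return calloc(1, sizeof(struct label));
}

/* exec code hands in a pointer slot and never sees alloc/copy details. */
void execve_interpreter_enter(struct vnode *vp, struct label **labelp)
{
    *labelp = vnode_label_alloc();
    if (*labelp != NULL && vp->v_label != NULL)
        **labelp = *vp->v_label;        /* copy interpreter's vnode label */
}

/* Must tolerate NULL: the cleanup path runs even if enter allocated nothing. */
void execve_interpreter_exit(struct label *l)
{
    free(l);
}

/* Scenario: 0 on success, otherwise the number of the failed check. */
int demo(void)
{
    struct label *il = NULL;
    struct vnode interp = { NULL };
    struct label src = { 0x5a };

    if (policy_load("proc_only", OBJ_PROC) != 0) return 1;
    if (labeled_objects != OBJ_PROC) return 2;
    execve_interpreter_enter(&interp, &il);    /* no vnode policy: nothing allocated */
    if (il != NULL) return 3;
    execve_interpreter_exit(il);               /* NULL is fine */

    if (policy_load("vnode_and_inpcb", OBJ_VNODE | OBJ_INPCB) != 0) return 4;
    if (labeled_objects != (OBJ_PROC | OBJ_VNODE | OBJ_INPCB)) return 5;
    interp.v_label = &src;
    execve_interpreter_enter(&interp, &il);    /* now a copy is made */
    if (il == NULL || il->bits != 0x5a) return 6;
    execve_interpreter_exit(il);

    if (policy_unload("vnode_and_inpcb") != 0) return 7;
    if (policy_unload("proc_only") != 0) return 8;
    return labeled_objects == 0 ? 0 : 9;
}

int main(void) { return demo(); }
```

The gating is what saves the cost the message talks about: with no vnode-labelling policy loaded, `vnode_label_alloc()` returns NULL and the exec path performs no allocation at all, which is exactly why the exit side cannot assume it has something to free.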
Diffstat (limited to 'sys/kern/kern_exec.c')
-rw-r--r-- | sys/kern/kern_exec.c | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 0997949..0d1e871 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -336,7 +336,7 @@ do_execve(td, args, mac_p) int vfslocked; int textset; #ifdef MAC - struct label *interplabel = NULL; + struct label *interpvplabel = NULL; int will_transition; #endif #ifdef HWPMC_HOOKS @@ -494,8 +494,7 @@ interpret: if (args->fname != NULL) NDFREE(ndp, NDF_ONLY_PNBUF); #ifdef MAC - interplabel = mac_vnode_label_alloc(); - mac_vnode_copy_label(binvp->v_label, interplabel); + mac_execve_interpreter_enter(binvp, &interpvplabel); #endif if (imgp->opened) { VOP_CLOSE(binvp, FREAD, td->td_ucred, td); @@ -627,7 +626,7 @@ interpret: attr.va_gid; #ifdef MAC will_transition = mac_vnode_execve_will_transition(oldcred, imgp->vp, - interplabel, imgp); + interpvplabel, imgp); credential_changing |= will_transition; #endif @@ -681,7 +680,7 @@ interpret: #ifdef MAC if (will_transition) { mac_vnode_execve_transition(oldcred, newcred, imgp->vp, - interplabel, imgp); + interpvplabel, imgp); } #endif /* @@ -880,8 +879,7 @@ exec_fail: done2: #ifdef MAC mac_execve_exit(imgp); - if (interplabel != NULL) - mac_vnode_label_free(interplabel); + mac_execve_interpreter_exit(interpvplabel); #endif VFS_UNLOCK_GIANT(vfslocked); exec_free_args(args); |
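Review bot: in the `@@ -494,8 +494,7 @@` hunk, `mac_execve_interpreter_enter(binvp, &interpvplabel)` replaces an unconditional `mac_vnode_label_alloc()` plus `mac_vnode_copy_label()`, but the hunk sits under the `interpret:` label, and the old code would have overwritten any label already stored there without freeing it. Since the new call receives `&interpvplabel`, the framework side can detect a non-NULL slot; the kern_exec.c half of the patch cannot show whether it frees, reuses or asserts on that, so that behaviour (and the ownership rule that the caller must pass the pointer to `mac_execve_interpreter_exit()`) should be stated in the header comment for the new pair, which is not in this diffstat.

Review bot: in the `@@ -880,8 +879,7 @@` hunk, dropping `if (interplabel != NULL)` moves the NULL check into `mac_execve_interpreter_exit()`, so that function must accept NULL; `done2:` is reached from every exit of do_execve, including failures before the `interpret:` block ever ran, and the `= NULL` initializer changed in the `@@ -336,7 +336,7 @@` hunk is now what keeps that call well defined. Consider passing `&interpvplabel` here as well, symmetric with the enter call, so the framework can clear the caller's pointer after freeing rather than leaving a dangling local.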